Dark Caracal: The Anatomy of a Covert Op

This morning, Lookout and the Electronic Frontier Foundation released a joint report about their investigation into a spy operation linked to the Lebanese government dubbed “Dark Caracal”. It’s a fascinating read, both for the information it reveals about the methodology of state-sponsored espionage and methodology of the investigators who uncovered it.

Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.

 

From this report, several ironies emerge. Firstly, the attack was carried out by releasing hijacked versions of popular secure texting apps, such as What’sApp, which are often billed as a form of protection against this kind of spying. Second, the investigation was made possible by analyzing data that Lookout has amassed from millions of cell phones running their own app; the only reason they were able to document this operation so thoroughly is that they are essentially spying on their users(!).

So what does this mean for the privacy-conscious, cell-phone wielding public? As the report confirms, this attack was able to succeed because users were tricked into willingly (if unwittingly) downloading and installing malware on to their devices. It is the usual story with these kinds of hacks: they use social engineering as their foot in the door. Humans are nearly always the weakest link in any security scheme, which is why they’re so heavily targeted. Strong passwords and encryption can only take us so far. If we wish to be truly protected, we also need to educate ourselves about the threats we face and approach our device usage with a cautious and critical mindset.

I encourage everyone to read the report and learn from it what they can.

Takeaways

  • Be suspicious of any attempts to get you to follow links or download software, especially using shortened URLs (such as bit.ly or goo.gl). Attackers often pose as representatives of online services and set up fake web addresses that may appear at first glance to be legitimate (e.g. facebookservices.org). It’s important to pay attention both to who the message is from, and where it’s sending you to.
  • If you’re ever asked to log in to an online service via a provided link, don’t. Go directly to the service’s main site and log in from there.
  • Only install apps from sources you trust.
  • When an app asks you to grant it special permissions, especially if it wants access to your files, camera, or microphone, comply with caution.
  • Stay alert!

Sources